Thanks Steve. We'll take our chances with the CVE name.
Stuart.
On Tuesday, January 29, 2002, at 01:47 PM, Steven M. Christey wrote:
> Stuart Staniford asked:
>
>> It would be somewhat nice to refer to the vulnerability by its CVE
>> name, but it's still a candidate at present. Is there any ETA for
>> when it might be approved?
>
> CAN-2001-0500 should become CVE-2001-0500 in the next CVE version. It
> has enough votes. It probably didn't make it into the last version
> because I didn't ACCEPT any candidates that had only been proposed to
> the Board within the previous 2 months or so.
>
> After the new round of candidates will come out (brace yourselves for
> ~200 tomorrow...) I will be working on creating a new CVE version,
> which will come out in mid-February. This new version should exceed
> 2000 entries.
>
> While it's theoretically risky to call this CVE-2001-0500 right now, I
> think it's a very good bet. If you include a link to the CVE web site
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500), then
> the CVE web site will bring you to the right record, even if it's
> still a CAN for some unexpected reason.
>
> The transition of the name from CAN to CVE, and its impact on making
> candidate numbers "obsolete" in written communications (not to mention
> voluminous databases), is one reason why I'd like to make the one-time
> change to the CVE naming scheme as alluded to in various conversations
> in the past. I'm still thinking about how to do this right, and
> *when* to do it. But a name that doesn't change from candidate to
> entry would provide additional stability that would avoid these types
> of problems.
>
> - Steve
>